Sûnnet Beskerming Pty. Ltd. occasionally produces small reports that are for free (gratis) distribution. The free content may cover any area that Sûnnet Beskerming operates in. Examples may include generic security advice, specific security warnings, development practices, and application tuning. The only caveat on reuse of information from this site is in accordance with the following paragraph.
Use and reuse of information from this site requires written acknowledgement of the source for printed materials, and a hyperlink to the parent Sûnnet Beskerming page for online reproduction. Content from this page can not be reused in a commercial context without negotiating an appropriate licence with the site owner. Personal and educational use is granted without additional restriction beyond an amount in accordance with the principle of "fair use". Fair judgement is encouraged from site users as to what amounts to "fair use". Please contact us if you reuse our content, so that we may be able to provide more specific advice when necessary to improve your reproduction.
April Roundup - 25 Apr 2005
April has been a busy month from a number of points of view. Identity theft and personal privacy breaches continue to get worse, with recent problems for Ameritrade, Carnegie Mellon University, Iron Mountain, and Polo / Ralph Lauren and HSBC surfacing since the article on identity theft was written.
Ameritrade, an online brokerage firm, lost a backup tape which contained up to 200,000 individual account details, covering the period 2000 - 2003. Ameritrade knew of the loss back in February, however the loss did not get widely reported until April. The claim is that a freight company lost the tape during shipping to an archive location, and it has been subsequently destroyed, or is being held by the freight company for Ameritrade to collect.
Only in the last 96 hours have Carnegie Mellon University and Iron Mountain had their data compromises publicised. In Carnegie Mellon University's case, more than 5,000 students, staff and alumni (potentially going back as far as the 1950s) were notified that their personal data, including Social Security Numbers, may have been compromised in a network intrusion on April 10. The irony of this case is that the US CERT is based at Carnegie Mellon University (although in an unrelated area). The FBI is now involved in the investigation. In addition to the identified 5,000 - 6,000 identities compromised, another 14,000 - 15,000 students may have had sensitive data exposed from 1985 onwards. While not as serious as the first breach, this data may have included job offers, grades, and personal contact information. Given that the Business School, which was the part compromised, only has 14,000 alumni, essentially everyone associated with the school has had personal information stolen.
Iron Mountain is a US based data backup and storage specialist, providing storage services for a large number of important customers. Iron Mountain did not specify the size of the disclosure, nor the client company that was involved, but did specify that the backup tapes for that customer were lost.
Clothier Polo / Ralph Lauren was the company involved when HSBC North America notified 180,000 "General Motors" brand MasterCard holders that they should cancel their cards and request replacements, as previous transaction information had been compromised. Many more people are believed to have been affected, with other credit card providers apparently waiting for more information before notifying their clients.
Other breaches over the last two months which have not been widely publicised include US health care provider San Jose Medical Group, and 106,000 alumni of Tufts University in Boston, whose alumni donor database was compromised.
The reason why so many of these breaches are limited to the United States is the reliance upon Social Security Numbers, personally identifying numbers which can be used for almost any purpose. It is this use of them for almost any purpose which is causing major problems for US residents. A SSN can be used for obtaining lines of credit, credit cards, insurance, licences, bank accounts, student loans, and any number of other things that it was not designed for. It would be similar to an Australian being required to provide their Tax File Number every time that they wanted to do anything. Also contributing to the public reporting is the Californian State Law SB 1386, which requires any company doing business with Californian residents to notify them of any breach of their privacy information.
Also making April busy have been problems encountered by different Internet Service Providers, as machines on their networks compromised by trojan horse software have been conducting dDOS attacks against the ISPs' DNS servers. Australia's largest ISP, BigPond, suffered from this attack, and US network provider Comcast even disappeared from the Internet for short periods of time as it struggled with different network outages and the dDOS attacks. These attacks are not related to the earlier reported issues with the DNS, but have a similar end result: denying useful internet access through domain names. They also result in bandwidth restrictions for customers, due to the fake data clogging the networks. The earlier DNS issues are still being debated, with the ISC continuing to assert that DNS cache poisoning was occurring, and that it still is, with some new reports in the last 24 hours. Other agencies and bodies are denying that it was an issue, including Microsoft and Symantec, the two companies whose products were deemed vulnerable by the ISC.
The April columns will be archived next week, and a link will be provided in the navigation menu on the left of the screen, should you wish to access the archived data.
Ports and Sockets - 18 Apr 2005
How networked computers share information and perform a range of tasks through a thin wire attached to them can seem like a dark art at times. The simplest analogy is to think of your computer like a bank. Inside of the bank there are many different things going on, but any time that information is coming in or going out across a network, it goes through the tellers.
Network connections are made through ports, which can be considered analogous to the teller windows. Ports are numbered, from 1 to 65535, with different protocols and information types that are specifically linked to certain ports. For example, some common ports are:
- Port 25 is associated with SMTP which is used to send and receive email messages.
- Port 80 is associated with HTTP which should be recognisable as the means by which you accessed this site, and most other sites on the internet.
- Port 443 is associated with HTTPS, which is HTTP over SSL (Secure Sockets Layer) or TLS (Transport Layer Security), and is what you might recognise from online commerce or banking sites.
Just like teller windows in a bank, ports can be open or closed. If a port is closed, it cannot have an active network connection, unless something inside the system specifically opens the port. With a valid IP address and an open port, a socket will exist. The socket can be considered to be the bank teller, who can take information from outside the system, pass it internally, and then pass information back out of the system. Any time that a computer has a port open, it is possible for a remote system to send information to that port, and try to exploit the service listening on that port.
An example of this is the RPC service which is active by default on Windows XP installations. In the default install environment, this service is exploitable by a remote hacker. This means that if you bought a new computer which had Windows XP as the operating system, and you plugged it into an internet connection without patching it, or firewalling off the service, then you would eventually find that someone would gain control of your computer via this security hole, usually within an hour of connecting it. Unfortunately, the RPC service is critical to the smooth operation of a Windows XP system, so it cannot simply be turned off. However, some operating systems will not allow connections from remote systems to certain ports, even though they are open, and have a socket (bank teller) present. Such systems include OS X and various Linux distributions.
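To make the open and closed states concrete, here is an added example (written for this page, not code from the original column) that opens a listening socket on the loopback address, lets the operating system pick a free port, and then classifies that port from a client's point of view both while the listener exists and after it has gone. It reports a third state, "filtered", when nothing answers at all, which goes beyond the column's two states: that silence is what a firewall drop looks like from outside. Nothing here touches a remote system; the port number is whatever the OS hands out.

```python
# Added example (not from the original column): what "open port" and "closed
# port" mean at the socket level, demonstrated only on the loopback interface.
import socket

def open_listener(host="127.0.0.1"):
    """Bind a listening TCP socket to `host` on an OS-chosen free port.

    Returns the listening socket and the port number assigned. Binding to
    127.0.0.1 rather than 0.0.0.0 is one way a system keeps an open port,
    with a socket present, reachable only from local processes.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))          # port 0 asks the OS for any free port
    srv.listen(1)
    return srv, srv.getsockname()[1]

def port_state(host, port, timeout=1.0):
    """Classify (host, port) as 'open', 'closed' or 'filtered' from a client's view.

    A closed port answers the connection attempt with a TCP reset, which Python
    surfaces as ConnectionRefusedError. An open port completes the handshake.
    No answer at all within the timeout typically means a firewall dropped it.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as cli:
        cli.settimeout(timeout)
        try:
            cli.connect((host, port))
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "filtered"
        return "open"

def demo():
    """Open a listener, probe it, close it, probe the same port again."""
    srv, port = open_listener()
    try:
        while_listening = port_state("127.0.0.1", port)
    finally:
        srv.close()                # the teller window shuts
    after_close = port_state("127.0.0.1", port)
    return while_listening, after_close

if __name__ == "__main__":
    print(demo())                  # expected: ('open', 'closed')
```

The same port number gives two different answers depending only on whether a process is listening, which is the whole content of "open" and "closed" here; the service behind the open port, not the port itself, is what an attacker would have to exploit.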
Now that network connections from a computer can be understood as being like tellers in a bank, it is time to consider how these connections can be used and abused by various agents. The first abuse of network connections is a DOS attack. This is where so much information is being pushed into the port that the system can not handle it and either stops supplying information, or can only reply to a small proportion of requests. This is like thousands of people trying to withdraw / deposit / find balance amounts all at the same time from the same teller. Eventually the teller will not be able to cope with the amount of information.
The next step from this is a dDOS attack, where requests come in from as many different systems as possible to the one port. A simple DOS is easy to stop as it all comes from one address, and that address can be blocked, like a bank security guard stopping someone from harassing a teller. When multiple systems are used, it becomes more difficult to separate legitimate requests from fake requests.
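The difference between the two floods shows up directly in a request log. The following added example (not code from the original column) counts requests per source address over two constructed log windows: one where a single address sends 500 requests, and one where the same 500 requests are spread over 200 addresses. The log format, the threshold and all addresses are assumptions made for the example.

```python
# Added example (not from the original column): per-source request counting
# over constructed connection-log lines, showing why blocking one address
# stops a simple DOS but does nothing against a distributed one.
from collections import Counter

def build_log(sources):
    """Constructed log, one '<time> <source_ip> <dest_port>' line per request."""
    lines = [f"12:00:{i % 60:02d} {src} 80" for i, src in enumerate(sources)]
    lines.append("12:00:30 198.51.100.9 80")   # one ordinary visitor mixed in
    return "\n".join(lines) + "\n"

# 500 requests from a single address, versus 500 spread over 200 addresses.
SIMPLE_DOS_LOG = build_log(["203.0.113.7"] * 500)
DISTRIBUTED_DOS_LOG = build_log([f"203.0.113.{(i % 200) + 1}" for i in range(500)])

def requests_per_source(log_text):
    """Count requests per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        if line.strip():
            _time, src, _port = line.split()
            counts[src] += 1
    return counts

def analyse(log_text, per_source_threshold=100):
    """Summarise a log window and list the sources a per-address block would catch.

    'distributed' is set when the window as a whole is a flood but no single
    source crosses the threshold: exactly the case where blocking addresses one
    at a time fails and rate limiting or upstream filtering is needed instead.
    """
    counts = requests_per_source(log_text)
    total = sum(counts.values())
    blockable = sorted(src for src, n in counts.items() if n > per_source_threshold)
    return {
        "total": total,
        "sources": len(counts),
        "blockable": blockable,
        "distributed": total > per_source_threshold and not blockable,
    }

if __name__ == "__main__":
    print("simple:     ", analyse(SIMPLE_DOS_LOG))
    print("distributed:", analyse(DISTRIBUTED_DOS_LOG))
```

Both windows carry the same load, but only the first yields an address the security guard can turn away; in the second, every source looks like a modest legitimate visitor.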
The next abuse is a directed attack against a service with the intention of gaining control of the system. This is equivalent to a bank robbery. There are a couple of ways that this attack can take place. In the first case a request can be made to each port in sequence, taking note of which ports respond, and then directing attacks against those services. In our bank analogy, this would mean someone knocking on each teller window in sequence, noting which ones are open - which would definitely be noticed as suspicious activity. The second case is where a directed attack is made against a service on a port in the hope that that particular port is open, and running a service. If the port is closed, then nothing will happen, but if it is open (such as the Windows XP default RPC service), then an attack may be successful. In the bank analogy, this would be someone walking up to a specific window and pulling a gun. If the window is closed, nothing happens, but if it is open, a robbery may take place. A successful exploitation of a service may result in the complete compromise of the system. Once this happens, the attacker can open any port and run any service they want. This would be like a bank robbery where the robbers gained control of the bank, but carried on business, opening various new teller windows for their special friends.
The final abuse that will be considered in this column is a man in the middle attack. This is where a system is placed to intercept all network communication between your computer and any other. This attack can be passive, where simple eavesdropping and logging takes place, or active, where the intercepting system subtly changes the information that is flowing back and forth. Wireless network connections are more susceptible to this kind of attack by the nature of their design.
A firewall can help prevent a number of attacks and compromises from getting through to a system. Unfortunately, a poorly configured firewall provides no security at all. Using the bank analogy, a firewall is equivalent to a security guard who controls access to the teller windows, and the tellers themselves. If his instructions are well laid out, he will be a massive improvement to security, but if his instructions are non-existent, he will contribute nothing. A well configured firewall will prevent access to all ports except the ones specifically allowed for by the system owner. It may also allow connections to be initialised by the system, but not accept connections made by other systems. It should then be able to manage all of this with respect to distinct internet addresses, blocking off address zones which have historically been attacking the system and giving more access to trusted addresses. A firewall can be as simple as an application (a software firewall) that launches at system startup, or it can be built in to networking hardware (a hardware firewall - which is really a specialised software firewall) like modems or routers.
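The policy just described (deny all inbound except explicitly allowed ports, let the system's own connections and their replies through, block hostile address zones, give trusted addresses more access) can be written down as a small rule evaluator. The example below is added for this page and is not code from the original column; the `Packet` and `Firewall` names, the rule order, and the addresses (all from documentation ranges) are assumptions made for the example. Port 135 stands in for the Windows RPC service mentioned above.

```python
# Added example (not from the original column): a model of the firewall policy
# the column describes, evaluated against constructed packets.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    src: str       # source address
    sport: int     # source port
    dst: str       # destination address
    dport: int     # destination port
    inbound: bool  # True if it arrives from the network, False if the system sends it
    syn: bool      # True for the first packet of a new TCP connection

class Firewall:
    """Stateful policy: default deny inbound, explicit allow list, zones and trust."""

    def __init__(self, allowed_ports, blocked_zones, trusted_hosts):
        self.allowed_ports = set(allowed_ports)
        self.blocked_zones = [ip_network(z) for z in blocked_zones]
        self.trusted_hosts = {ip_address(h) for h in trusted_hosts}
        self.conntrack = set()   # (local_ip, local_port, remote_ip, remote_port)

    def decide(self, p):
        """Return ('ACCEPT' or 'DROP', reason) for one packet, updating connection state."""
        if not p.inbound:
            # Connections the system initiates are allowed out and remembered,
            # so that their replies are recognised when they come back.
            if p.syn:
                self.conntrack.add((p.src, p.sport, p.dst, p.dport))
            return "ACCEPT", "outbound"
        if (p.dst, p.dport, p.src, p.sport) in self.conntrack:
            return "ACCEPT", "reply to a connection we opened"
        src = ip_address(p.src)
        if any(src in zone for zone in self.blocked_zones):
            return "DROP", "source in a blocked zone"       # explicit block wins over everything below
        if src in self.trusted_hosts:
            return "ACCEPT", "trusted source"
        if p.dport in self.allowed_ports:
            return "ACCEPT", f"port {p.dport} explicitly allowed"
        return "DROP", "default deny for unsolicited inbound"

def run_scenario():
    """Evaluate a constructed packet sequence; returns the list of decisions."""
    fw = Firewall(allowed_ports={80, 443},
                  blocked_zones=["203.0.113.0/24"],
                  trusted_hosts=["198.51.100.10"])
    packets = [
        # anyone may reach the web server on 443, nobody may reach RPC on 135
        Packet("192.0.2.50", 40001, "10.0.0.5", 443, inbound=True, syn=True),
        Packet("192.0.2.50", 40002, "10.0.0.5", 135, inbound=True, syn=True),
        # the same web request from a historically hostile zone is dropped even on 443
        Packet("203.0.113.9", 40003, "10.0.0.5", 443, inbound=True, syn=True),
        # a trusted administration host may reach a port not on the public allow list
        Packet("198.51.100.10", 40004, "10.0.0.5", 22, inbound=True, syn=True),
        # the system opens a connection to a mail server; the reply is let back in
        Packet("10.0.0.5", 51000, "192.0.2.25", 25, inbound=False, syn=True),
        Packet("192.0.2.25", 25, "10.0.0.5", 51000, inbound=True, syn=False),
        # an unrelated host sending to that same ephemeral port is still dropped
        Packet("192.0.2.66", 25, "10.0.0.5", 51000, inbound=True, syn=False),
    ]
    return [fw.decide(p)[0] for p in packets]

if __name__ == "__main__":
    print(run_scenario())
```

The order of the checks is the policy: an empty allow list and no trusted hosts gives the "security guard with no instructions" of the column, since every unsolicited inbound packet falls through to the final default deny, while the connection-tracking step is what lets the system initiate connections without accepting any made by others.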
LiveCDs and Online Banking - 11 Apr 2005
Recent news reports are suggesting that a number of Australian financial institutions are considering distributing modified Knoppix LiveCDs to their customers to allow them a more secure online banking experience.
Conceptually this is a very smart move to make, however it is fraught with difficulties that the users who would most benefit from this will find problematic. The LiveCD will provide a means to bypass any keyloggers, spyware or adware that is installed on the machine, since it is booting from the CD-ROM. Presuming that the computer is running a Windows based Operating System, the LiveCD will not run any of the keylogging or spyware software since it is a Linux installation and Windows and Linux are binary incompatible for most software applications. Binary compatibility allows two different operating systems to run the same application file as if it were designed for the system. For example, Windows 98 software is mostly binary compatible with Windows XP. This means that you can run most of your Windows 98 software on your Windows XP installation without any problems. Similarly, because they are binary incompatible, you are not likely to be able to run any OS X software on a Windows XP system.
Knoppix LiveCDs are generally designed to be read only (i.e. CD-R), and although it is possible to operate without using the hard drive, the advanced management tools that Linux distributions tend to come with highlight a major risk for inexperienced users to cause major damage to their existing Operating System installation. The variant being proposed for the Australian financial institutions apparently will have most of these tools removed to prevent inadvertent system destruction or damage by inexperienced users.
From another perspective, the LiveCD will not be useful to users in a corporate setting where IT policy may be established to prevent computer terminals from booting from the CD ROM drive. There are a couple of reasons why this may be the case:
- It will also drop any terminal off the network - likely preventing any external internet access.
- It would be considered a major internal security breach for the network, and that system in particular. The unknown tools that a bootdisk may contain would be the primary concern for corporate IT departments, as it could allow the user to retrieve passwords, bypass local restrictions, modify system files, and have complete access to the local system.
For home users, using this disc means that they will need to reboot their system each time that they want to access the bank's internet site. Tuning the CD to automatically detect a wider range of hardware means the disk will operate on a greater range of systems. However, because it is read only, there is limited scope to update or tune drivers so that it can be used on an unsupported system. Configuring the network connection will also be required each and every time that the user accesses the bank site. Most users would be hard pressed to recall the applicable dial up, or ADSL / Cable, configuration requirements for their particular ISP. Some ISPs continue to deny support to Linux / Unix installs, which will cause further problems for end users who attempt to seek ISP support for using the disk.
Should a Knoppix disk require updating, the bank will need to redistribute disks to all customers (which would be cost prohibitive), as it is pointless distributing a writeable LiveCD. For example, a vulnerability was recently identified with the Mozilla family of internet browsers (Mozilla, Firefox, Camino), which dumped the contents of sections of RAM to the web browser. Having a read only system will not stop someone from stealing internet passwords in this case. In testing of this vulnerability it was confirmed that login and password details could be grabbed, and the attack could be completely invisible to the end user, just requiring the user to visit a website. Had LiveCDs been distributed to end users at this point it would have required a complete redistribution, as the primary web browser is vulnerable to disclosure of sensitive information.
This is one of the major weak points of the system. Organised crime syndicates only need to identify clients of that particular financial institution and distribute a disk presented as an 'update', with a customised hosts file that points to the syndicate's preferred site, set up either to act as a man in the middle or to imitate the banking site and capture the login information before redirecting to the real banking site. Alternatively, the software tools on the disk could be vulnerable versions, and a rootkit could be installed which allows the syndicate full control of the computer even though the user is using the LiveCD.
Security is just not achievable using LiveCDs.
A better solution is to use the approach that a number of European banks use, in which a one time pad is used when the user logs in to the online banking site. This becomes two factor authentication (something the user has - the one time pad, and something the user knows - the login password). The one time pad is a card that the user obtains from their bank, which has a set of unique passwords on it. Each time a password is used up, it is crossed off and cannot be used again. This forces a thief to actually obtain the card in addition to the online login / password, which greatly restricts the geographic area that the attack can be carried out in.
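What the bank has to do on its side of this scheme is small: check the password, check that the submitted code is one of the unused codes from that customer's card, and cross the code off. The following added example (written for this page; not code from the original column or from any bank) models exactly that. The card codes, the `SERVER_KEY`, the account names and the password-hashing parameters are all constructed for the example; storing the codes as keyed HMAC tags rather than plain hashes is a choice made here because six-digit codes are far too small to protect with an unkeyed hash.

```python
# Added example (not from the original column): the server side of the
# card-based login the column describes. Password plus one single-use code
# from a printed list; each accepted code is crossed off so it cannot be replayed.
import hashlib
import hmac
import secrets

# Constructed server secret used to tag card codes; a real deployment keeps this in a key store.
SERVER_KEY = secrets.token_bytes(32)
PBKDF2_ROUNDS = 100_000

def issue_card(n_codes=10):
    """Generate the codes printed on one customer's card (constructed, 6 digits each)."""
    return [f"{secrets.randbelow(10**6):06d}" for _ in range(n_codes)]

def code_tag(code):
    """Keyed hash of a code. The key makes a leaked tag table useless on its own."""
    return hmac.new(SERVER_KEY, code.encode(), hashlib.sha256).hexdigest()

def password_hash(password, salt):
    """Salted, slow password hash (the 'something the user knows' factor)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

class Account:
    """One customer: a salted password hash and the tags of the codes still unused."""

    def __init__(self, password, card_codes):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = password_hash(password, self.salt)
        self.unused = {code_tag(c) for c in card_codes}   # the card itself stays with the customer

    def login(self, password, code):
        """Accept only if the password is right AND the code is an unused one from the card."""
        pw_ok = hmac.compare_digest(password_hash(password, self.salt), self.pw_hash)
        tag = code_tag(code)
        code_ok = tag in self.unused
        if not (pw_ok and code_ok):
            return False
        self.unused.discard(tag)   # cross the code off: it can never be used again
        return True

    def codes_remaining(self):
        return len(self.unused)

def demo():
    """Replay a few login attempts; returns the accept/reject outcome of each."""
    card = issue_card(3)
    acct = Account("correct horse battery", card)
    # A code that is certainly not on this card, standing in for a guessed code.
    guess = next(c for c in ("000000", "000001") if c not in card)
    return [
        acct.login("correct horse battery", card[0]),  # both factors right: accepted
        acct.login("correct horse battery", card[0]),  # same code replayed: rejected
        acct.login("correct horse battery", card[1]),  # next unused code: accepted
        acct.login("wrong password", card[2]),         # card stolen, password unknown: rejected
        acct.login("correct horse battery", guess),    # password keylogged, no card: rejected
    ]

if __name__ == "__main__":
    print(demo())   # expected: [True, False, True, False, False]
```

The last two attempts are the point of the column: a keylogger on a compromised PC captures the password but not the card, and a stolen card without the password is equally useless, so the attacker needs both, and the used codes on the card give the customer a visible audit trail.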
The Esperanto Security suite offers authentication mechanisms ranging from single factor authentication, through to triple factor authentication (using a third party to verify the identity of the user), and is suited to application in the online financial environment.
Identity Theft - 04 Apr 2005
Most people are aware to be cautious with their credit card details, in case someone steals them and fraudulently spends money using the details. This is important, as it is the source of most of the identity theft cases reported each year. Fewer people, however, are aware that they need to be just as cautious with their online banking details.
Particular caution should be applied if you want to access your bank account from an internet cafe, internet kiosk, or other public internet terminal. The quick solution is - don't do it. It is not possible to be sure of what software is running on a public terminal, and the simple rule of thumb is to not do anything which you would not want anybody else to see, or replicate. Your home terminal may not be much better if it is running any spyware, adware, viruses, worms or other malicious software. One of the most common payloads that these applications tend to include is keylogging software.
Keyloggers are applications which watch a computer, keep track of all keys pressed, and then report back to an email address, or wait for a specific user to access the system, with a complete list of all keys pressed over a certain period. Information that can be captured from such an application includes bank account details, login / password combinations for any application / website that was used, including webmail, ssh, telnet, or any number of other services. The implication of this is that the malicious user could have complete access and ability to control your online identity.
There are a number of steps that can be taken to mitigate these problems on public terminals. If you have access to the CD-ROM drive, and are allowed to reboot the system, the use of a Linux LiveCD is an option. A LiveCD is a CD-ROM which contains a full operating system, and can be used to boot a computer into a Linux desktop, complete with internet browser and other tools depending on requirements. To use this, it is essential that you know how to connect to the network, and that you have permission to use it on the computer. Where both hold, the LiveCD will bypass any malware (malicious software) on the hard disk of the computer, which means that any keylogging software present will be inactive while the LiveCD is being used. If use of a LiveCD is not permitted, ensure that you have a temporary login / password combination that you will use only for that one-time access from the terminal; change it as soon as you are back at your normal terminal, and check that no one has accessed your account in the meantime.
In addition to the problems caused by malicious software tracking the progress of computer users, phishing emails are becoming a greater risk to computer users, with users who are less technically proficient being at a greater risk of losing information. Whilst related to spam (also known as UCE - Unsolicited Commercial Email), phishing emails usually appear to be legitimate emails from financial institutions or other online entities such as eBay or PayPal. The content of a phishing email can vary, but generally follows one, or a combination, of the following basic forms:
- Your account has been subject to a number of hack attempts, and you need to login to validate your account and contact details.
- The financial institution has changed their account management procedures, and you need to login to validate your contact details.
- Your account is going to be terminated if you do not login and validate your account.
The links in the email will use any number of tricks to hide the address of the site that the link will take you to when you try to login and validate your details. The site that you are taken to will not be the site of a financial institution, or of PayPal, or eBay, but will be owned by the phisher, despite its appearance otherwise. If you enter your details, it will enable them to control your bank accounts and allow for full identity theft. The From: or Reply-To: email addresses may give some clues that the phishing email is not legitimate. If you are not convinced that the email is false, the best way to make sure is to manually type in the address of the site into your web browser. If it is a real email, then you should see something on the homepage relating to your email. If you don't, then you should just ignore the email and delete it. The compromise of your private finances, and personal identity, are not worth a simple login / password combination.
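The "tricks to hide the address" are mechanical enough to check for. The example below is added for this page (not code from the original column) and flags three of the common ones in an HTML email body: a link whose host is not under the expected bank domain, a `something@host` prefix that makes the real host look like a path, and a raw IP address as the host; it also compares the domain shown in the link text with the domain the link actually goes to. The sample email body, the bank domain `examplebank.com` and the addresses are all constructed; nothing is fetched.

```python
# Added example (not from the original column): flags the usual link tricks in
# a phishing email's HTML body. The email and the domains are constructed.
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None

# Visible text that looks like a web address, with or without a scheme.
URL_LIKE = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:/\S*)?$", re.I)

def host_of(url):
    """Lower-cased host of a URL. urlsplit discards any 'user@' prefix, which is
    exactly the part a phisher wants the reader to mistake for the host."""
    return (urlsplit(url).hostname or "").lower()

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def suspicious_links(html, expected_domain):
    """Return (href, [reasons]) for each link that should not be trusted."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = host_of(href)
        reasons = []
        if host != expected_domain and not host.endswith("." + expected_domain):
            reasons.append(f"link host {host!r} is not under {expected_domain}")
        if urlsplit(href).username is not None:
            reasons.append("link has a 'something@' prefix that masks the real host")
        if is_ip(host):
            reasons.append("link host is a raw IP address")
        if URL_LIKE.match(text):
            shown = host_of(text if "://" in text else "http://" + text)
            if shown != host:
                reasons.append(f"visible text shows {shown!r} but the link goes to {host!r}")
        if reasons:
            findings.append((href, reasons))
    return findings

# Constructed phishing-style body following the pattern the column describes.
SAMPLE_EMAIL = """
<p>Dear customer, your account has been subject to a number of hack attempts.</p>
<p>Please <a href="http://www.examplebank.com@203.0.113.5/login">login to validate</a>
your details, or visit <a href="http://examplebank-secure.example/verify">www.examplebank.com/verify</a>.</p>
<p>Genuine help pages: <a href="https://help.examplebank.com/">help.examplebank.com</a></p>
"""

if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_EMAIL, "examplebank.com"):
        print(href)
        for r in reasons:
            print("   -", r)
```

Only the third link survives the check, and it is the one whose visible text and real destination agree. The column's advice still holds even when a checker like this passes an email: typing the bank's address yourself removes the question of where a link goes.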
Even if you take care of all of your details, and follow the above advice, it is still possible for you to have your identity stolen, and there isn't very much that you can do about it. March 2005 saw a significant number of major breaches of corporations, universities and other institutions being reported. The breaches involved theft of privacy data relating to large numbers of people who had dealt with the agencies, and sometimes the only reason they were reported at all was a Californian state law.
In an effort to increase protection of the Californian population, a law was passed which mandated that any company which held personal data of any Californian resident, and suffered a potential theft of that data, was to notify them of that theft. This was to allow Californian residents to check their credit records and attempt to mitigate the effects of identity theft.
Some of the agencies affected included:
- A US credit record management firm - At least 100,000 records compromised, with some speculation that the actual number of compromised records is several times higher. These records were sold to fake companies operated by criminal interests.
- A US payroll handler - More than 25,000 of their customers' payroll records exposed online.
- Bank of America - Loss of backup tapes containing financial details of 1.2 million US federal employees, including Department of Defence personnel.
- California State University at Chico - 59,000 students, employees and faculty were notified when remote hackers compromised a computer which held their details.
- Boston College - 120,000 alumni were notified when a computer was compromised by a remote hacker.
- A shoe retailer - More than 100,000 customers were notified following remote hackers compromising a database.
- George Mason University - 30,000 students, employees and faculty were compromised when a remote hacker gained access to an internal system.
Cumulatively, millions of individual people had their identities compromised through these breaches, potentially for identity theft. The key fact that ties the above listed breaches together is that none of them involved online transactions by any of the victims. This means that even if you never use the internet for anything at all, you are still at risk of online identity theft.
There is no way to be sure of avoiding identity theft, but applying caution and forethought when handling personally identifying data and financial information will help reduce your risk of exposure. Depending on your location you will be able to obtain copies of your credit records, and you should check them regularly to look for unauthorised credit applications. Likewise, you should regularly review your financial status to check for unauthorised withdrawals. It may also be possible to place a fraud alert on your credit record which will force your record provider to contact you any time that credit is applied for, which will also help aid you in avoiding identity theft.
Components of this report were compiled using figures from The Register.
Domain Name System Server Problems - 29 Mar 2005
Increasingly, over the last few years, there have been reports of attacks being made against DNS (Domain Name System) servers. DNS servers store the correlation between an internet site's IP address, and the string of text that is commonly used to reach that site from an internet browser. This correlation also holds true for all services and protocols running on that IP address, such as:
- http - HyperText Transfer Protocol
- https - HyperText Transfer Protocol Secure
- ssl - Secure Sockets Layer
- smtp - Simple Mail Transfer Protocol
- etc ...
Every computer connected to the internet, or on any network, has an IP address. If this machine is running a web server, it can be surfed to from the internet. For example, the IP address for www.skiifwrald.com is 126.96.36.199. This means that you can browse to this site by entering http://188.8.131.52 into your browser address bar, or entering http://www.skiifwrald.com. By entering http://www.skiifwrald.com, your request is sent to a DNS Server, most likely at your ISP, which then finds that the skiifwrald.com entry has the IP address of 184.108.40.206, and sends the request off to that address. Essentially it is like the telephone directory for the internet, listing names and numbers, and allows you to find sites just by using their name.
It is possible to directly access a site by using its IP address, bypassing the DNS server. This will work even if the DNS server is unavailable, has been poisoned, or is otherwise corrupted or non-existent.
There are a couple of possible attacks against DNS servers. The first is a DoS (Denial of Service) attack, where countless spurious requests are made in an attempt to flood the server and prevent legitimate queries from getting through, with the ultimate goal of preventing end users from accessing any site by its domain name. The second attack type is record poisoning (also known as cache poisoning). The master list of domain name to IP address links is updated regularly on the root level servers (the global master record storage), and agencies running their own DNS server will download this record list for their users to access when connecting to the internet. If a hacker can intercept and change this list, provide a false copy, or change the records in the local copy of the list, then this will cause major problems for local user access to the internet. The effect is that someone could be trying to access google.com, but because the DNS record for google has been modified to point to 220.127.116.11, the user will see skiifwrald.com instead, while the site address in the browser address bar still shows google.com. This has major implications for security, as a successful poisoning of the DNS record allows the hacker to redirect any site that they wish.
This is essentially the ultimate hack, and if carried out cleanly, may not be identified for a significant period, if at all. For example, if the record is poisoned, and a major financial institution has been redirected, and the attacker has mirrored the financial institution's site, the hacker only needs to intercept the login details for the user, and no one is any the wiser that a successful attack has taken place. Analysis of the logs of the financial institution's site should indicate a disproportionate number of requests coming from a single IP. This can be covered again, by presenting as a proxying service, and by only attacking one or two ISPs at a time, to keep the IP hits down. The recent cases of DNS record poisoning have been amateurish at best, with the redirected sites being sent to illegal medication supply sites. The servers that have been identified as being at greatest risk are those running on Windows NT 4, and Windows 2000, which are, by default, susceptible to the most common DNS record poisoning attacks.
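The resolver-side defence against a poisoned record is to refuse to cache anything a server was not asked about. The added example below (written for this page, not code from the original column or from any DNS implementation) is a toy resolver cache run twice over the same constructed exchange: once trusting every record it receives, and once applying the textbook "bailiwick" rule, under which a record is cached only if its name lies inside the zone the query concerned. The `Record`, `Response` and `Cache` names, the simplified bailiwick test, and the domains and addresses are assumptions made for the example.

```python
# Added example (not from the original column): a toy resolver cache showing
# how one unchecked response poisons later lookups, and the bailiwick rule
# that rejects records outside the zone a query concerned.
from dataclasses import dataclass

@dataclass
class Record:
    name: str    # e.g. "www.examplebank.example"
    rtype: str   # e.g. "A"
    value: str   # e.g. an IPv4 address

@dataclass
class Response:
    qname: str     # the name the resolver asked about
    records: list  # the answer, plus whatever "additional" records the server chose to send

def in_bailiwick(rname, qname):
    """True if `rname` lies inside the zone the query concerned.

    Simplified here (a constructed rule, not a full resolver's logic): the
    record is for the queried name itself, or for a name under the queried
    name's parent domain, which is the zone that answered.
    """
    qname, rname = qname.lower().rstrip("."), rname.lower().rstrip(".")
    parent = qname.split(".", 1)[1] if "." in qname else qname
    return rname == qname or rname == parent or rname.endswith("." + parent)

class Cache:
    """Resolver cache; with check_bailiwick=False it trusts every record it is sent."""

    def __init__(self, check_bailiwick):
        self.check_bailiwick = check_bailiwick
        self.store = {}
        self.rejected = []

    def absorb(self, resp):
        for rec in resp.records:
            if self.check_bailiwick and not in_bailiwick(rec.name, resp.qname):
                self.rejected.append(rec)   # out of bailiwick: never cached
                continue
            self.store[(rec.name.lower(), rec.rtype)] = rec.value

    def lookup(self, name, rtype="A"):
        return self.store.get((name.lower(), rtype))

def scenario(check_bailiwick):
    """Replay a constructed exchange; return the cached bank address and the reject count."""
    cache = Cache(check_bailiwick)
    # 1. A legitimate answer for the bank's web server (constructed address).
    cache.absorb(Response("www.examplebank.example",
                          [Record("www.examplebank.example", "A", "192.0.2.10")]))
    # 2. A lookup for a name under a zone the attacker controls. That server answers
    #    truthfully for its own name but appends an unrelated record for the bank.
    cache.absorb(Response("img.attacker.example",
                          [Record("img.attacker.example", "A", "203.0.113.5"),
                           Record("www.examplebank.example", "A", "203.0.113.5")]))
    return cache.lookup("www.examplebank.example"), len(cache.rejected)

if __name__ == "__main__":
    print("trusting cache:", scenario(False))   # expected: ('203.0.113.5', 0)
    print("bailiwick cache:", scenario(True))   # expected: ('192.0.2.10', 1)
```

With the check off, one answer to an unrelated query silently replaces the bank's address for every later user of that resolver, which is the situation the column describes; with it on, the foreign record is discarded and the earlier legitimate answer stays in place. Real resolvers add further protections (randomised query IDs and source ports, and DNSSEC validation where signed zones are available), which this toy omits.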
If you have found the above report to be useful, keep an eye out for the following reports which will be published over the next few weeks.
- Whitelists in Mail.app
- Using the inbuilt tools of Mail.app to create and manage email whitelists.